Expansion and Evolution of the JDY Botnet
Cybersecurity researchers at Lumen's Black Lotus Labs have identified a significant resurgence of the JDY botnet, a covert network linked to China-based, state-sponsored threat actors. The botnet has grown from approximately 650 compromised devices in early 2024 to more than 1,500 today. These devices are primarily small office/home office (SOHO) routers, firewalls, and IoT equipment that have been hijacked and repurposed for malicious scanning.
Operational Changes and Strategic Use
Following the U.S. government takedown of the related KV botnet in early 2024, operators of the JDY cluster changed the network's behavior to avoid detection. It now functions as a centrally controlled, high-performance scanner used to discover, fingerprint, and continuously map exposed services at scale. Researchers believe the botnet is either rented out to other hacking groups or used directly by its operators for reconnaissance, identifying vulnerable infrastructure shortly after new vulnerabilities are publicly disclosed.
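A scanner spread across more than 1,500 compromised routers does not look like a classic port scan to a defender: each node touches only a handful of targets, so per-source thresholds never fire. The Python below is an added example, not code from Black Lotus Labs or The Hacker News, showing a per-source scan heuristic beside an aggregation by destination port that surfaces the distributed pattern. The log format, the IP addresses (RFC 5737 documentation ranges), the window size and the thresholds are constructed assumptions for illustration.

```python
"""Detect single-source and distributed (botnet-style) scanning in firewall logs.

Added example; the log format, addresses and thresholds are assumptions, not
data from the article or from Black Lotus Labs.
"""
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 300     # fixed aggregation bucket (assumed tuning value)
PORTS_PER_SOURCE = 10    # one source touching >= this many (dst, port) pairs per bucket
SOURCES_PER_PORT = 8     # >= this many distinct low-volume sources probing one port

# Constructed sample log in an assumed "timestamp src dst dport action" format.
# 203.0.113.5 is a noisy single-source scanner; 192.0.2.1-8 each send one probe
# to port 443 (distributed scan); 192.0.2.50 is benign DNS traffic.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 203.0.113.5 198.51.100.10 21 DROP
2024-06-01T10:00:02Z 203.0.113.5 198.51.100.10 22 DROP
2024-06-01T10:00:03Z 203.0.113.5 198.51.100.10 23 DROP
2024-06-01T10:00:04Z 203.0.113.5 198.51.100.10 25 DROP
2024-06-01T10:00:05Z 203.0.113.5 198.51.100.10 80 DROP
2024-06-01T10:00:06Z 203.0.113.5 198.51.100.10 110 DROP
2024-06-01T10:00:07Z 203.0.113.5 198.51.100.10 143 DROP
2024-06-01T10:00:08Z 203.0.113.5 198.51.100.10 443 DROP
2024-06-01T10:00:09Z 203.0.113.5 198.51.100.10 3389 DROP
2024-06-01T10:00:10Z 203.0.113.5 198.51.100.10 8080 DROP
2024-06-01T10:01:10Z 192.0.2.1 198.51.100.20 443 DROP
2024-06-01T10:01:11Z 192.0.2.2 198.51.100.20 443 DROP
2024-06-01T10:01:12Z 192.0.2.3 198.51.100.20 443 DROP
2024-06-01T10:01:13Z 192.0.2.4 198.51.100.20 443 DROP
2024-06-01T10:01:14Z 192.0.2.5 198.51.100.20 443 DROP
2024-06-01T10:01:15Z 192.0.2.6 198.51.100.20 443 DROP
2024-06-01T10:01:16Z 192.0.2.7 198.51.100.20 443 DROP
2024-06-01T10:01:17Z 192.0.2.8 198.51.100.20 443 DROP
2024-06-01T10:02:00Z 192.0.2.50 198.51.100.30 53 ALLOW
2024-06-01T10:02:05Z 192.0.2.50 198.51.100.30 53 ALLOW
"""


def parse_line(line):
    """Parse one log line into a dict; timestamps are treated as UTC."""
    ts, src, dst, dport, action = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "src": src, "dst": dst, "dport": int(dport), "action": action}


def bucket_of(when):
    """Floor a timestamp to the start of its fixed window (epoch seconds)."""
    epoch = int(when.timestamp())
    return epoch - epoch % WINDOW_SECONDS


def detect_scanners(lines):
    """Return noisy single sources and ports probed by many quiet sources."""
    per_source = defaultdict(set)  # (bucket, src)   -> {(dst, dport)}
    per_port = defaultdict(set)    # (bucket, dport) -> {src}
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ev = parse_line(raw)
        b = bucket_of(ev["ts"])
        per_source[(b, ev["src"])].add((ev["dst"], ev["dport"]))
        per_port[(b, ev["dport"])].add(ev["src"])

    # Classic heuristic: one source fanning out across many targets/ports.
    noisy = {src for (_, src), targets in per_source.items()
             if len(targets) >= PORTS_PER_SOURCE}

    # Distributed heuristic: exclude already-flagged sources, then ask how many
    # *low-volume* sources converged on the same port in the same window.
    distributed = {}
    for (_, port), sources in per_port.items():
        quiet = sources - noisy
        if len(quiet) >= SOURCES_PER_PORT:
            distributed[port] = sorted(quiet)

    return {"noisy_sources": sorted(noisy), "distributed_scans": distributed}


if __name__ == "__main__":
    result = detect_scanners(SAMPLE_LOG.splitlines())
    print("noisy sources:", result["noisy_sources"])
    for port, sources in result["distributed_scans"].items():
        print(f"port {port} probed by {len(sources)} quiet sources:", sources)
```

Run against the constructed log, the per-source rule flags only 203.0.113.5; the eight one-probe sources stay below it, and only the per-port aggregation reveals them converging on 443. In production the interesting step is the next one: correlate the port that lit up with vulnerability disclosures from the same day, since the article notes the botnet is used to find exposed instances shortly after a vulnerability becomes public. Fixed buckets are used here for brevity; a sliding window avoids missing a burst that straddles a boundary.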
Geographic Distribution and Industry Implications
Most of the compromised nodes are located in the United States and Brazil, with additional concentrations across Europe and Asia. The presence of infected devices in Brazil reflects a broader trend of botnets increasingly targeting victims in that region. This industrialized reconnaissance effort feeds structured data into a larger scanning ecosystem, which Chinese nation-state groups then use for follow-on target identification and potential exploitation, a methodical approach to cyber espionage and attack preparation.
Source: The Hacker News
